US11621976B2ActiveUtilityA1

Malicious host detection

72
Assignee: BRITISH TELECOMMPriority: Aug 2, 2017Filed: Jul 30, 2018Granted: Apr 4, 2023
Est. expiryAug 2, 2037(~11.1 yrs left)· nominal 20-yr term from priority
G06N 3/09G06N 3/0499G06N 3/0455H04L 63/145G06N 20/00G06N 3/088G06F 21/566G06N 3/045G06N 3/0454
72
PatentIndex Score
2
Cited by
37
References
9
Claims

Abstract

A method for detecting malware software in a computer system includes accessing a plurality of hostnames for a malware server from a computer system infected with malware and attempting to communicate with the malware server, each hostname including a plurality of symbols in each of a plurality of symbol positions; training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes: a set of input units for each possible symbol and symbol position in a hostname; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and identifying infected computer systems based on their attempted communication to hostnames having symbols in symbol positions consistent with the tuples in the set.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for detecting malware software in a network connected computer system comprising:
 accessing a plurality of hostnames for a malware server from a training computer system infected with malware and attempting to communicate with the malware server, each of the plurality of hostnames including a plurality of symbols in each of a plurality of symbol positions; 
 training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes:
 a set of input units for each possible symbol and symbol position in a hostname, output units each for storing an output of the autoencoder, and 
 a set of hidden units smaller in number than the set of input units and each interconnecting all input units and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; 
 
 selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and 
 identifying an infected computer system based on an attempted communication, by the infected computer system, to hostnames having symbols in symbol positions at least partially consistent with the tuples in the set of one or more symbol and symbol position. 
 
     
     
       2. The method of  claim 1 , wherein, responsive to the identifying, the method further comprises implementing a responsive measure to mitigate an effect or further spread of malware infecting the identified infected computer system. 
     
     
       3. The method of  claim 2 , wherein the responsive measure includes one or more of:
 preventing network communication by the identified infected computer system; 
 instigating at least one of a malware removal process or a virus removal process for the identified infected computer system; 
 flagging the identified infected computer system; or 
 using the identified infected computer system to generate a second plurality of hostnames for further training the autoencoder. 
 
     
     
       4. The method of  claim 1 , wherein the attempted communication by the infected computer system includes storage of a hostname by the computer system for use in communicating with another computer system by way of the hostname. 
     
     
       5. The method of  claim 1 , wherein each input unit corresponds to a symbol and a symbol position in a hostname. 
     
     
       6. The method of  claim 1 , wherein the autoencoder is trainable using a backpropagation algorithm for adjusting weights of interconnections between the input units, the output units, and the hidden units of the autoencoder. 
     
     
       7. The method of  claim 1 , wherein training the autoencoder further includes using a gradient descent algorithm. 
     
     
       8. A computer system comprising:
 a processor and memory storing computer program code for detecting malware software in a network connected computer system by:
 accessing a plurality of hostnames for a malware server from a training computer system infected with malware and attempting to communicate with the malware server, each of the plurality of hostnames including a plurality of symbols in each of a plurality of symbol positions; 
 training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes: 
 a set of input units for each possible symbol and symbol position in a hostname, 
 output units each for storing an output of the autoencoder, and 
 a set of hidden units smaller in number than the set of input units and each interconnecting all input units and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; 
 
 selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and 
 identifying an infected computer system based on an attempted communication, by the infected computer system, to hostnames having symbols in symbol positions at least partially consistent with the tuples in the set of one or more symbol and symbol position. 
 
     
     
       9. A non-transitory computer-readable storage element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer system to perform the method as claimed in  claim 1 .

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.